Commit graph

2 commits

37edbbb9b6 feat: add bearer-authenticated password change API
CI status: continuous-integration/drone/push, build is passing (all checks were successful)
Add POST /api/v1/password endpoint accepting a JSON body
(username, old_password, new_password) protected by a shared
Bearer token (CHANGE_API_SECRET / -change-api-secret). It verifies
the current password via an LDAP bind before applying the change,
matching the alps "password" plugin bearer flow.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-07-02 23:00:42 +08:00
54b74fb233 fix(security): enforce 128-character maximum password length
CI status: continuous-integration/drone/push, build is passing (all checks were successful)
SHA-512 crypt has no 72-char truncation like bcrypt, but an unbounded
password length allows DoS via CPU exhaustion. Caps input at 128 chars
and adds unit tests for boundary conditions in checkPasswdConstraint.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-23 10:44:52 +07:00